AUDIT OF THE FDIC’S STRATEGIC PLANNING FOR INFORMATION TECHNOLOGY RESOURCES

Audit Report No. 00-013
March 31, 2000

OFFICE OF AUDITS
OFFICE OF INSPECTOR GENERAL


TABLE OF CONTENTS

BACKGROUND

OBJECTIVE, SCOPE, AND METHODOLOGY

RESULTS OF AUDIT

SIGNIFICANT PROGRESS MADE ON FDIC’S IT INVESTMENT ANALYSIS PROCESS; ADDITIONAL OPPORTUNITIES FOR IMPROVEMENT EXIST

Long-Range Strategic Planning Can Enhance FDIC’s IT Decision-making

      Recommendation

Better Controls Needed Regarding Reallocation of Funds for Approved IT Projects

      Recommendation

Procedures for Categorizing IT Investments Need Improvement

      Recommendation

Procedures Needed to Prioritize “Other Development” Spending

      Recommendation

IMPROVEMENTS NEEDED IN IT PERFORMANCE MEASUREMENT AND REPORTING

Need for Overall IT Performance Measurement and Reporting

      Recommendation

Improvements Needed in Measuring Performance on Individual IT Projects

      Recommendations

Opportunities for Improvements in the Post Implementation Review Process

      Recommendations

CONCLUSION

CORPORATION COMMENTS AND OIG EVALUATION

APPENDIX I – MEMORANDUM: DIRM’S COMMENTS

APPENDIX II – MEMORANDUM: CFO’S/DOF’S COMMENTS

APPENDIX III – TABLE: MANAGEMENT RESPONSES TO RECOMMENDATIONS


Federal Deposit Insurance Corporation
Washington, D.C. 20434

Office of Audits
Office of Inspector General

DATE:            March 31, 2000

MEMORANDUM TO:   Donald C. Demitros, Director
                 Division of Information Resources Management and
                 Chief Information Officer

                 Chris Sale, Chief Financial Officer

FROM:            David H. Loewenstein
                 Assistant Inspector General

SUBJECT:         Report Entitled Audit of the FDIC’s Strategic Planning for Information Technology Resources (Audit Report No. 00-013)

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) has completed an audit of the FDIC’s strategic planning for information technology (IT) resources. The overall objective of this audit was to evaluate the effectiveness of the FDIC's strategic planning process and practices related to acquiring, developing, and managing IT resources. Significant improvements were made to the strategic IT planning processes during 1999. Our audit identified further opportunities for the FDIC to improve the manner in which it selects, manages, and evaluates major investments in IT.

This report contains 10 recommendations designed to improve the FDIC’s IT strategic planning processes.
One recommendation is addressed to the Chief Financial Officer and the remaining nine recommendations are addressed to the Director of Division of Information Resources Management (DIRM) and Chief Information Officer (CIO). The nine recommendations addressed to the Director, DIRM and CIO, are made in connection with his responsibilities as chairman of the IT Technical Committee and as a member of the IT Council.


BACKGROUND

The FDIC invested approximately $217 million in IT resources during calendar year 1999. This amount represents approximately 18 percent of the Corporation’s $1.2 billion annual budget for 1999. The FDIC’s IT budget for 2000 is approximately $204 million. DIRM categorized approximately $146 million of the $204 million as “non-discretionary.” Non-discretionary investments are those necessary to maintain the FDIC’s IT program, including DIRM’s ongoing operations, application maintenance, telecommunications, and mainframe and local area network operations. DIRM categorized the remaining $58 million of the IT budget as “discretionary.” Discretionary investments are intended to enhance FDIC operations but are not essential to maintain the FDIC’s IT program. They include new systems development, technical initiatives, and the completion of systems development and other initiatives started in prior years.

In addition, because of its growing significance in the IT budget, our report highlights an investment category that the FDIC identifies as “Other Development.” The Technical Committee has defined Other Development as discretionary investments in new or existing systems that have individual budgets of less than $200,000. The FDIC budgeted approximately $12 million [1] for Other Development projects for 2000.
This amount represents an increase of 123 percent over the $5.4 million approved in the 1999 IT budget. The large amount of resources that the FDIC invests in IT each year underscores the need for an effective IT decision-making process that ensures that these resources produce meaningful results and address the strategic goals and objectives of the Corporation.

Legislation such as the Clinger-Cohen Act (Clinger-Cohen) of 1996 [2] and the Paperwork Reduction Act (PRA) emphasizes the need for federal agencies to establish efficient and effective processes for selecting, managing, and evaluating major investments in information systems. The Government Performance and Results Act (GPRA) requires agencies to set goals, measure performance, and report on their accomplishments. As such, an agency’s IT investments should directly support the accomplishment of these goals. In addition, Clinger-Cohen requires agencies to adopt an investment process that provides for the continual identification, selection, control, life-cycle management, and results evaluation of IT projects. Clinger-Cohen also requires agencies to establish performance measures for IT investments to evaluate how well IT supports agency programs.

Government oversight agencies, such as the Office of Management and Budget (OMB) and the U.S. General Accounting Office (GAO), have issued reports and guidance to assist agencies in complying with the IT requirements of the referenced legislation. Based on the practices of leading public-sector and private-sector organizations, the OMB and GAO reports and guides define the following three basic phases for successful IT decision-making:

•   Selection - During the selection phase, organizations are instructed to set priorities and decide which IT projects will be funded. Cost, benefit, and risk factors should be considered and IT investments compared, ranked, and prioritized.
    Critical to the selection phase is the availability of accurate and up-to-date cost, risk, schedule, and benefit information.

•   Control - The control phase involves monitoring the progress of IT projects against projected costs, risks, schedules, and benefits. Decisions made during the control phase include whether to cancel a project, modify it to better meet mission requirements, accelerate development, or continue development as planned.

•   Evaluation - The third phase, evaluation, involves performing post-implementation reviews of fully implemented or canceled projects to analyze and compare costs, schedules, and benefits with what was actually experienced.

[1] The Other Development budget of $12 million is included within the $58 million discretionary budget.
[2] The Clinger-Cohen Act of 1996 was formally known as the Information Technology Management Reform Act (ITMRA) of 1996.

Project selection, control, and evaluation represent a continual, integrated management approach for managing IT investments.

To ensure a corporate perspective for IT strategic planning, the FDIC established an IT Council in 1996. The Council is responsible for providing strategic IT direction for the Corporation, reviewing and/or approving major IT initiatives, recommending an annual IT budget to the FDIC’s Board of Directors, and measuring the performance of the FDIC’s IT activities. The Council is chaired by the Deputy to the Chairman and Chief Operating Officer and is comprised of the directors of all of the FDIC’s divisions, the Chief Financial Officer, and the General Counsel.

The FDIC also established an IT Technical Committee to provide support for the IT Council and to meet the Corporation’s need for ongoing IT investment management and monitoring.
The Technical Committee is responsible for evaluating and recommending approval of IT policies, managing key aspects of the IT budget, assessing the performance of major IT initiatives, and developing information to support IT Council decisions. The Technical Committee is chaired by the DIRM Director, who is also the FDIC’s CIO, and is comprised of senior level managers representing all of the FDIC’s divisions and offices.

The Technical Committee initiated the planning process to develop the 2000 IT budget in March 1999. The charter of the Technical Committee stipulates that meetings are to be held on a monthly basis, with additional meetings held as necessary to accomplish the committee’s responsibilities. The committee met frequently throughout 1999 to discuss IT issues. For example, during the period July 1999 through September 1999, the Technical Committee met 15 times to discuss the FDIC’s strategic needs and to develop the 2000 IT budget.


OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this audit was to evaluate the effectiveness of the FDIC's strategic planning process and practices related to acquiring, developing, and managing IT resources. Our audit evaluated the effectiveness of the FDIC’s investment analysis process that was used to fund IT investments and establish their relative importance. The audit also evaluated the effectiveness of the FDIC’s processes for monitoring and evaluating IT investments, including the procedures used to categorize IT projects.
In addition, the audit evaluated the role of the IT Council and Technical Committee in managing the FDIC's IT investments and ensuring that strategic IT planning was performed from a corporate perspective.

To accomplish the audit’s objective, we interviewed key DIRM staff and representatives of the FDIC’s Technical Committee that were responsible for performing the FDIC’s strategic IT planning. We also attended 2 IT Council and 24 Technical Committee meetings to observe whether and how IT investments were monitored, funded, and evaluated from a corporate perspective. In addition, we reviewed key strategic planning documents, such as the FDIC IT Strategic Plan, division-level IT strategic plans, and DIRM’s Annual Performance Plan to determine how the FDIC’s IT program was being planned and monitored. We also reviewed key performance measurement documents, such as the Client IT Plans generated from DIRM’s Lotus Notes database, DIRM status reports, and quarterly performance reports to evaluate the adequacy of performance measurement information being reported to FDIC management.

We reviewed cost, schedule, and risk data that was used to prioritize, fund, monitor, and evaluate the FDIC’s IT investments. We also spoke with representatives of the General Services Administration (GSA) and GAO to determine how other federal agencies employ strategic planning to manage their IT programs. In addition, we reviewed key legislation, such as the Clinger-Cohen Act, PRA, and GPRA, to determine whether the FDIC’s strategic IT planning process and practices satisfied the basic tenets of this legislation.

We conducted the audit between April 1999 and December 1999 in accordance with generally accepted government auditing standards.
Our review focused on evaluating the IT planning process in a real-time mode as it was happening. We provided input and feedback to management on observations we had on the IT planning process throughout our review.


RESULTS OF AUDIT

The FDIC’s IT strategic planning process has been evolving and improving since 1996 when the Corporation established the planning structure and process currently in use. The FDIC continued to implement significant improvements to its strategic IT planning process and practices during 1999. For the first time since its establishment in 1996, the Technical Committee was successful in developing a proposed IT budget that prioritized discretionary spending from a corporate perspective. That is, rather than each program office performing IT planning from a divisional or office perspective, the Technical Committee focused on prioritizing projects from a corporate perspective. Prioritizing IT investments has been recognized as a best practice of leading organizations and is a key tenet of recent IT legislation. The Technical Committee also developed a formal strategic IT direction with each FDIC division and implemented a post-implementation review (PIR) program to assess the quality of its system development projects and improve overall IT management.

Although the FDIC has made meaningful progress in selecting, managing, and evaluating its IT investments from a corporate perspective, opportunities for further improvement exist. Specifically, more attention to long-range strategic planning would allow the Technical Committee to consider alternative solutions to the FDIC’s IT needs and result in a more substantive evaluation of IT spending.
Planned control improvements to better control IT resource reallocations will help ensure that IT spending is based on corporate, rather than divisional, priorities.

In addition, improvements in how DIRM categorizes its IT investments would result in a more strategically focused IT budget that ensures IT spending is prioritized from a corporate perspective. Providing the Technical Committee with additional time and information during the planning process can also improve planning and evaluation of IT investments categorized as “Other Development.” Approximately $12 million budgeted for Other Development initiatives for 2000 were not evaluated by the Technical Committee.

While the FDIC established formal strategic IT goals and objectives in the FDIC IT Strategic Plan, it needs to better measure its performance in accomplishing such goals and objectives. DIRM had not developed an ongoing mechanism for reporting overall IT performance information to the IT Council or Technical Committee. In addition, the FDIC was not tracking or reporting total life cycle costs on individual IT projects. Accordingly, it was not possible for the FDIC to compare actual costs and benefits with those estimated at the time a project was approved. Measuring performance against established goals and objectives is a fundamental principle of GPRA. Performance measurement information is critical for determining whether the FDIC’s IT investments deliver promised benefits and meet the business goals and objectives of the Corporation.
Performance measurement information also serves as an early indicator of potential problems and encourages managerial accountability by linking information about program outcomes to established goals.

Finally, because DIRM’s PIR program was in the early stages of implementation at the time of our audit, we were unable to fully evaluate its effectiveness in improving the FDIC’s IT management processes. However, we did identify opportunities for the FDIC to improve its PIR practices. Specifically, DIRM can ensure more meaningful evaluations of the FDIC’s systems by focusing its limited PIR resources on a single type of PIR review. We also identified a need for greater independence of PIR team members and more detailed analysis and presentation of cost, schedule, and requirements projections.


SIGNIFICANT PROGRESS MADE ON FDIC’S IT INVESTMENT ANALYSIS PROCESS; ADDITIONAL OPPORTUNITIES FOR IMPROVEMENT EXIST

The FDIC implemented significant improvements to its IT investment analysis process and used this improved process to develop the 2000 IT budget. For the first time since its establishment in 1996, the Technical Committee was successful in developing a proposed IT budget that prioritized discretionary IT spending from a corporate perspective. The Technical Committee prioritized discretionary IT spending by evaluating individual IT investments against a standard set of criteria. The criteria included consideration of the investment’s cost, schedule and scope risk and its effectiveness in accomplishing FDIC’s strategic goals, objectives and mission. Technical Committee members assigned numerical scores for each discretionary IT investment and averaged these scores to determine the investment’s relative priority ranking.
Prioritizing IT investments has been recognized as a best practice of leading organizations and is a key tenet of legislation related to the acquisition and use of IT resources.

The Technical Committee also developed a formal strategic IT direction with each FDIC division to identify key technology issues and requirements associated with the FDIC’s business needs. Specifically, FDIC divisions developed long range strategic IT plans describing the data, application development, and technical architecture requirements that would be needed to support their future business needs. Although the FDIC made meaningful progress in developing its IT investment analysis process, opportunities for further improvement exist.

Compressed timeframes associated with the Corporation’s annual budgeting process limited the Technical Committee’s ability to make long-term strategic IT decisions. The Technical Committee attempted to plan for the FDIC’s strategic IT needs during the same 4-month time frame that it developed the 2000 IT budget and addressed other IT issues. In our opinion, allotting additional time for strategic planning will enhance the Technical Committee’s ability to accomplish this work. Further, the FDIC’s IT decision-making processes will be improved if long-range strategic IT planning is done before the corporate annual budgeting process begins.

Limited time also prevented the Technical Committee from performing a meaningful evaluation of major non-discretionary IT investments. Although DIRM provided the Technical Committee with a presentation of the FDIC’s non-discretionary IT investments, the Technical Committee did not have an opportunity to evaluate alternative solutions for the FDIC’s non-discretionary IT investments where appropriate.
The information and documentation that was provided for non-discretionary IT expenditures was not as comprehensive as that provided for discretionary expenditures. The Technical Committee also did not have time to validate the consistency, reasonableness, or accuracy of cost and risk estimates underlying non-discretionary investments. In an effort to further improve the planning process, we plan to perform a separate review of DIRM’s non-discretionary IT expenditures in 2000. This review will include an evaluation of how non-discretionary IT investments are selected, priced, and reported.

Improved controls over IT resource reallocations will also ensure that IT spending is based on corporate, rather than divisional, priorities. In addition, improvements in how DIRM categorizes its IT investments will result in a more strategically-focused IT budget and a more efficient IT funding process. Finally, procedures to evaluate and prioritize Other Development investments will ensure that IT spending is prioritized from a corporate perspective.

Long-Range Strategic Planning Can Enhance FDIC’s IT Decision-making

DIRM and the Technical Committee planned for the FDIC’s IT investments annually as part of the corporate annual budgeting process. During the period July 1999 through September 1999, the Technical Committee held 15 meetings to discuss the FDIC’s strategic IT needs and develop the 2000 IT budget. During August 1999, the Technical Committee formally evaluated and prioritized 95 discretionary IT investments, valued at approximately $84 million. During this same period, the Technical Committee received presentations from DIRM on an additional 99 non-discretionary IT investments totaling approximately $146 million.
Although the non-discretionary IT investment presentations provided the Technical Committee with valuable information, they did not contain the same level of detail as discretionary investments. For example, presentations of non-discretionary IT investments did not include 5 year life cycle cost and benefit estimates or a written plan describing the project. Technical Committee members planned and budgeted for the FDIC’s IT investments while continuing to perform their regular program office duties.

The significant amount of analysis required to develop the 2000 IT budget, combined with compressed timeframes associated with the Corporation’s annual budgeting process, limited the Technical Committee’s ability to plan for the FDIC’s IT needs beyond 2000. We believe that the FDIC can better ensure that its business goals and objectives are being addressed by performing long-range strategic IT planning before the corporate annual budgeting process begins. Developing long-term IT strategies at the beginning of the calendar year could also improve the efficiency and effectiveness of the IT budgeting process by allowing Technical Committee members to become more familiar with major IT investments before making funding decisions about them. Long-term planning strategies that could be considered by the Technical Committee, in conjunction with DIRM senior management, include the use of benchmarks or other measurements to evaluate the costs of DIRM’s ongoing operations and application maintenance and the use of contractor versus in-house resources.
Evaluating the cost-benefit of leasing versus purchasing hardware and software is another example of the type of strategies that could be considered if Technical Committee members had more lead-time.

Although the FDIC developed an annual long-range IT Strategic Plan, it needed to update the plan to reflect the FDIC’s current IT priorities and strategies and to use the plan in the annual IT planning and budgeting process. Members of the Technical Committee agreed that long-range strategic IT planning was needed to ensure that the business needs of the Corporation were being addressed in an optimal manner. Expansion of long-range strategic IT planning will introduce new opportunities for DIRM to partner with the FDIC’s program managers in making key IT decisions. We recognize that long-range strategic planning for all of the FDIC’s major IT investments cannot be accomplished in one year. However, phasing in long-range planning, where appropriate, will allow for a more in-depth review of the FDIC’s major IT investments on a less frequent basis.

Limited time during the IT planning and budgeting process prevented the Technical Committee from thoroughly evaluating the FDIC’s non-discretionary IT investments. Non-discretionary investments included DIRM’s ongoing operations, application maintenance, and other required expenditures to maintain the FDIC’s IT program. Non-discretionary investments accounted for approximately 71 percent of the FDIC’s proposed $204 million IT budget for 2000.

While DIRM provided the Technical Committee with a presentation of the FDIC’s non-discretionary IT investments, the Technical Committee relied almost exclusively on DIRM to develop and evaluate these investments.
Members of the Technical Committee informed us that they were uncomfortable with some non-discretionary IT investments because alternative solutions were not presented. Instead, only one approach was presented to the Technical Committee. As an example, several Technical Committee members questioned whether alternatives existed for approximately $12 million in non-discretionary investments related to security. These members felt that the FDIC may have been able to postpone the expenditure of some of these resources until 2001 or later to allow other discretionary IT projects on the prioritized list to be funded in 2000. However, they did not feel that they were provided enough information to formally question the non-discretionary budget items.

We recognize that some highly technical and complex decisions are best made by DIRM’s technical experts. Additionally, DIRM’s day-to-day operational activities should be addressed by DIRM management. However, we believe there are major segments of the non-discretionary IT budget that the Technical Committee should evaluate more thoroughly. Expanding the planning process would provide the opportunity for DIRM to present cost-benefit information to the Technical Committee regarding options to be considered for significant non-discretionary investments.

Performing long-range strategic planning in advance of the actual IT budget process would allow the Technical Committee more time to independently review and validate the consistency, reasonableness, and accuracy of assumptions and estimates used to develop non-discretionary IT investments.
Earlier planning would also afford the Technical Committee a better understanding of non-discretionary IT investments before funding decisions are made about them.

On November 9, 1999, the Technical Committee met to discuss how the IT investment analysis process might be improved in 2000. An additional meeting was held on December 9, 1999, wherein the Technical Committee decided to hold a series of weekly meetings beginning in January 2000 to identify and take early action on key strategic IT issues facing the Corporation. One strategic area that the Technical Committee planned to address was service level agreements (SLA) [3] with program divisions and offices for local area network and wide area network support. Changes in DIRM’s current service levels could result in reduced levels of services and related cost reductions. The Technical Committee also planned to acquire a better understanding of cost elements comprising the application maintenance portion of the FDIC’s non-discretionary IT spending. Maintenance represented approximately $32 million of the FDIC’s $204 million IT budget for 2000. We believe these are positive steps that will further improve the IT planning process for 2001.

Recommendation

We recommend that the Director, Division of Information Resources Management and CIO:

(1)     Work with the Technical Committee to implement a long-range strategic IT planning process that would provide the Committee the opportunity to become more involved in evaluating major components of the FDIC’s annual IT budget at an earlier point in time.

Better Controls Needed Regarding Reallocation of Funds for Approved IT Projects

The FDIC’s improved IT strategic planning process for calendar year 2000 prioritized discretionary IT investments from a corporate perspective. In prior years, IT investments were selected by FDIC program offices from a divisional perspective.
That is, each division proposed and promoted its own IT investments, although projects from other divisions might have had a greater overall impact on the Corporation. The 2000 IT planning process required each Technical Committee member to evaluate and score all proposed projects based, in part, on the project’s importance in addressing the Corporation’s strategic business goals and objectives. The revised process developed by DIRM and the Technical Committee reflects a substantial improvement in IT planning for the FDIC because it considers the merits of projects based on their ability to address the Corporation’s strategic business goals and objectives.

[3] SLAs are formal documents that define a specific level of IT support to be provided for a client. SLAs allow IT personnel to focus on planning, service delivery, and providing program offices with expected levels of IT support.

While the FDIC made significant strides in its IT planning process this year, some portions of the process can be strengthened. We observed that in 1999 and prior years, program offices reallocated funds for IT projects within their program areas without the prior approval of the Technical Committee. Additionally, these reallocations were based on divisional, rather than corporate, priorities. For example, in June 1999 DOF identified six IT projects with a projected surplus of approximately $1.4 million. DOF reallocated approximately $1.1 million of the $1.4 million to three other DOF projects and offered the remaining $313,100 to the Division of Resolutions and Receiverships (DRR) for IT projects that needed additional funding. While DOF is to be commended for advising the Technical Committee of these reallocations, the notification was for informational purposes only.
There was no requirement for DOF or any other division to obtain prior approval of fund reallocations from the Technical Committee. In addition, the reallocation of funds among the DOF projects and the transfer of $313,100 to DRR were not based on a review of FDIC’s IT needs from a corporate perspective. Rather, the reallocations were based on divisional perspectives.

GPRA and the Clinger-Cohen Act underscore the need for an IT investment decision-making process that addresses the strategic goals and objectives of an organization as a whole. Clinger-Cohen requires agencies to establish sound investment review processes for selecting, controlling and evaluating IT investments. According to Clinger-Cohen, IT managers should work with senior agency management to ensure that IT is effective and that it achieves the agency’s strategic goals, objectives, and mission. GPRA requires agencies to establish strategic business goals and objectives and to measure how program activities accomplish those goals and objectives. In addition, the FDIC’s own IT Strategic Plan identifies the need to view IT investments from a corporate-wide perspective to ensure effective IT planning and decision-making. Key to accomplishing a plan that is prioritized from a corporate perspective is ensuring that any subsequent adjustments or reallocations are also based on corporate, rather than divisional, priorities.

During the 1999 planning process for 2000, DIRM and the Technical Committee made significant progress in prioritizing IT investments from a corporate perspective. Further, during 2000 the Technical Committee intends to reallocate discretionary funds according to the prioritized list developed during the 2000 IT planning process.
DIRM and the Technical
Committee can further improve IT planning by developing formal policies and procedures to
ensure that fund reallocations for all investment categories, including non-discretionary and
Other Development, are based on corporate priorities. These policies and procedures should
ensure that any fund reallocations are presented and reviewed from a corporate perspective and
should restrict reallocation of funds without the Technical Committee’s approval.

Recommendation

We recommend that the Director, Division of Information Resources Management and CIO:

(2)    Develop policies and procedures that prescribe the parameters for when reallocations of
       IT resources require the Technical Committee’s prior approval, to ensure that IT
       requirements continue to be addressed from a corporate strategic perspective.

Procedures for Categorizing IT Investments Need Improvement

DIRM established procedures for categorizing the FDIC’s IT investments as either discretionary
or non-discretionary as part of the 2000 IT investment analysis process. DIRM also spent
considerable time during 1999 evaluating the FDIC’s IT investments to ensure that they were
properly categorized.
However, DIRM can save valuable time during the IT budgeting process
by building consensus among Technical Committee members regarding how IT investments
should be categorized in advance of the actual project scoring and prioritization process.
Advance agreement among Technical Committee members regarding IT investment
categorizations will minimize unnecessary discussions during the time-sensitive budgeting
process and ensure that only investment items intended for review are prioritized.

Valuable time was spent by the Technical Committee during the 2000 IT investment scoring and
prioritization process discussing the appropriateness of various IT investment categorizations.
To illustrate, some Technical Committee members believed that a discretionary IT investment
valued at approximately $1.4 million to provide voice telecommunication support for the FDIC’s
field offices should have been categorized as non-discretionary because providing voice services
to the FDIC’s field offices was required pursuant to an agreement negotiated between FDIC
management and the National Treasury Employees Union. Additionally, several members of the
Technical Committee did not agree that a non-discretionary investment valued at about $6.1
million for online data services procured by the FDIC’s library should be part of the IT budget.
These members felt that recurring costs for electronic data and related subscriptions were
services rather than IT expenses and that these costs should be placed under another part of the
corporate budget.

Ambiguity regarding IT investment categorizations also hindered the Technical Committee’s
ability to evaluate approximately $1.9 million in discretionary IT requirements. DIRM notified
the Technical Committee on September 16, 1999 that it had misclassified discretionary items
totaling $1.9 million as non-discretionary.
Because the Technical Committee had already
evaluated and prioritized the FDIC’s discretionary IT investments and time was limited, the
Technical Committee did not have an opportunity to evaluate the $1.9 million from a corporate
perspective.

DIRM can help ensure that the Technical Committee develops a strategically-focused IT budget
that prioritizes investments from a corporate perspective by improving IT investment
categorizations before the annual project scoring and prioritization process begins. Improved
procedures for categorizing IT investments will also provide members of the Technical
Committee with the confidence that IT expenditures classified as non-discretionary are, in fact,
necessary.

Recommendation

We recommend that the Director, Division of Information Resources Management and CIO:

(3)    Work with members of the Technical Committee to improve existing procedures for
       categorizing IT investments as either discretionary or non-discretionary before the IT
       investment analysis process begins.

Procedures Needed to Prioritize “Other Development” Spending

As mentioned earlier, the FDIC had developed improved procedures for prioritizing
discretionary IT spending. However, the FDIC can more strategically align its IT spending with
the business goals and objectives of the Corporation by also developing plans to formally
evaluate and prioritize IT investments categorized as Other Development. DIRM has defined
investments in Other Development as discretionary expenditures in new or existing systems that
individually are estimated to cost less than $200,000.

The Technical Committee funded 23 Other Development projects⁴ with a total value of
approximately $12 million for 2000.
This amount represented an increase of about $6.6 million
(123 percent) over the approximate $5.4 million that FDIC invested in Other Development for
1999. The Technical Committee had not projected what Other Development spending might be
in 2001 or beyond. The $12 million budget for Other Development represented approximately
21 percent of the $58 million total discretionary budget for 2000. The Other Development
budget of $12 million was also equal in value to the projected cost of the first 15 unfunded IT
projects on the prioritized list developed by the Technical Committee during the IT budget
process.

Although the Technical Committee limited Other Development projects to those with budgets
under $200,000, it did not formally evaluate specific proposals for Other Development
investments or explore how these investments would support the FDIC’s business goals and
objectives. The Technical Committee also did not formally evaluate or prioritize Other
Development investments because of limited time during the budget preparation process and the
large number of small dollar initiatives that comprised the Other Development category.

Technical Committee members that we spoke with agreed that controls were needed to ensure
that investments in Other Development were strategically aligned with the FDIC’s business goals
and objectives. Because Other Development projects were not formally reviewed or evaluated,
they are susceptible to potential requirements splitting to avoid the established $200,000
threshold for formal IT project review and evaluation. In addition, because of the rapidly
growing value of investments categorized as Other Development, we believe that procedures
developed by the Technical Committee should ensure that Other Development projects are fully
evaluated and prioritized.
Efforts to evaluate and prioritize Other Development spending should
be commensurate with the dollar value of the individual initiatives.

⁴ The 23 Other Development projects included in the 2000 IT budget contained over 100 separate
initiatives valued at under $200,000 each.

Recommendation

We recommend that the Director, Division of Information Resources Management and CIO:

(4)    Develop plans to formally evaluate and prioritize IT investments categorized as “Other
       Development.”


IMPROVEMENTS NEEDED IN IT PERFORMANCE MEASUREMENT
AND REPORTING

The FDIC has established formal strategic IT goals and objectives in the FDIC IT Strategic Plan.
However, opportunities exist for the FDIC to improve its performance measurement in
accomplishing these goals and objectives. In addition, DIRM is not reporting overall IT
performance information to the IT Council or Technical Committee, as required by the charters
for these organizations. Finally, performance indicators used by DIRM to measure and report
performance on individual IT projects can be improved.

Evaluating the results of the FDIC’s IT investments is critical to ensuring accountability and
determining the impact that IT has on the FDIC’s business activities and mission. It is also a
basic tenet of GPRA. GPRA requires agencies to establish strategic business goals and
objectives and to measure how program activities accomplish these goals and objectives. In
addition, the Clinger-Cohen Act mandates that federal agencies measure the contribution of their
IT investments to mission results.
Performance measurement information is also critical for
ensuring that IT projects are implemented at acceptable costs, within reasonable and expected
timeframes, and meet user requirements.

Need for Overall IT Performance Measurement and Reporting

DIRM and its client divisions and offices established formal strategic IT goals and objectives for
the Corporation in the FDIC’s IT Strategic Plan. Developed in early 1998, the IT Strategic Plan
contains six major IT goals intended to support the FDIC’s major program areas over the next 3
to 5 years. The IT Strategic Plan identifies the strategies and initiatives that the FDIC will
pursue to accomplish the six strategic goals. In addition, DIRM established an annual
performance plan that describes DIRM’s performance goals and targets for 1999.

Although the 1998 IT Strategic Plan identifies six major strategic goals, the FDIC has done little
to measure its performance in achieving these goals. We noted that only one of the six goals
contained in the IT Strategic Plan, remediating the Year 2000 (Y2K) problem, was being
measured and reported to senior management on a routine basis. The FDIC’s progress in
remediating the Y2K problem was being reported to senior management on a quarterly basis as
part of an established process for measuring and reporting on goals contained in the
Corporate Annual Performance Plan.⁵ Comprehensive briefings on the FDIC’s status of
implementing the goals contained in the Corporate Annual Performance Plan were also made to
the Corporation’s Operating Committee on a semiannual basis.
The five IT goals not being
measured or reported were (1) improving customer satisfaction with application systems, (2)
reducing corporate costs through the use of IT, (3) managing corporate information, (4)
providing a stable IT infrastructure, and (5) improving the efficiency and effectiveness of IT
management.

The Technical Committee initially attempted to monitor the FDIC’s overall IT performance in
January 1997 when it identified 21 key IT projects for special review. These projects were
selected because of their high visibility and importance to the Corporation. In February 1998,
the Technical Committee reduced the number of key projects being monitored from 21 to 11.
Prior to the initiation of our fieldwork in April 1999, the Technical Committee had discontinued
monitoring key IT projects completely.

DIRM management indicated that it discontinued the monitoring effort because the Technical
Committee did not find the format of the information to be useful. In addition to being
voluminous, the information did not clearly discuss problems or risk areas associated with IT
investments. The Technical Committee’s monitoring of key IT projects did not include
measuring the FDIC’s overall performance in the accomplishment of the six goals contained in
FDIC’s IT Strategic Plan. During our fieldwork, no overall IT performance measurement
information was being reported by DIRM to the IT Council or Technical Committee.

Performance measurement is a process whereby an organization objectively and quantifiably
measures how it is accomplishing its goals and objectives through the delivery of products,
services, or processes. IT performance measurement encourages managerial accountability by
linking information about program outcomes and results to established goals. Effective IT
performance measurement serves as an early warning indicator to correct problems.
It also
provides management and stakeholders with periodic feedback about the quality, quantity, cost,
and timeliness of IT products and services. Without meaningful performance measurement
information, the FDIC is unable to effectively ensure that its IT investments deliver the benefits
projected at the cost and within the timeframes promised. Performance measurement
information is also critical for satisfying the requirements of key IT legislation, including the
Clinger-Cohen Act and GPRA.

Measuring performance against established goals and objectives is also a basic tenet of GPRA.
GPRA requires agencies to prepare annual performance plans covering each program activity set
forth in the budget. The plans are intended to establish performance goals in an objective,
quantifiable, and measurable format. The plans also identify performance indicators to be used
in measuring relevant outputs, service levels, and outcomes of each program activity. GPRA
also requires that agency heads annually prepare and submit program performance reports,
setting forth performance indicators and comparing actual program performance against the
performance goals, to the President and the Congress. Assessing IT performance in support of
agency programs is also a cornerstone element of the Clinger-Cohen Act.

⁵ The Corporate Annual Performance Plan implements the FDIC Strategic Plan and defines what will be
accomplished during the year to achieve FDIC’s strategic goals and objectives. The Corporate Annual
Performance Plan is augmented by individual division and office plans.

The charters of the IT Council and Technical Committee require periodic assessments of the
overall performance of the FDIC’s IT program and major initiatives.
Members of the Technical
Committee that we spoke with recognized the need to begin assessing the FDIC’s overall IT
performance on a regular basis. In addition, DIRM staff responsible for performing strategic IT
planning informed us that they had discontinued reporting performance information to the
Technical Committee while they researched alternative performance measurement strategies.

We believe that DIRM and its client divisions and offices should begin assessing the FDIC’s
progress in accomplishing the goals outlined in the IT Strategic Plan as soon as possible. This
information should be provided to the IT Council, Technical Committee, and senior management
for assessing the strategic direction and progress of the FDIC’s IT program. Timely
measurement, assessment, and reporting of performance is key to improving future IT
decision-making and ensuring that IT enhances mission performance.

Recommendation

We recommend that the Director, Division of Information Resources Management and CIO:

(5)    Validate the goals and objectives contained in the FDIC’s IT Strategic Plan and begin
       measuring performance against these goals and objectives. DIRM should report this
       performance measurement information to the Technical Committee, IT Council, and
       senior FDIC management.

Improvements Needed in Measuring Performance on Individual IT Projects

DIRM established a centralized process for tracking and reporting critical information on the
FDIC’s individual IT investments.
However, the process needed to be enhanced to provide more
comprehensive and meaningful information regarding the performance of these investments.

DIRM representatives responsible for performing strategic IT planning informed us that they
were evaluating alternative approaches for measuring progress on individual IT investments and
for reporting this information to senior DIRM management and the Technical Committee. One
approach being considered would alert successively higher levels of DIRM management to
potential problems, with the Technical Committee becoming involved only when significant
problems persist. Comparing completed requirements with project expenditures is another
approach that the FDIC could employ to measure progress on the FDIC’s IT projects. Effective
IT performance measurement is embodied in the basic tenets of the Clinger-Cohen Act and
GPRA. It is also promulgated in GAO and OMB guidelines for managing IT investments.

Senior DIRM management and DIRM project managers that we spoke with indicated that
performance measurement information generated by DIRM’s project monitoring process did not
meet their needs. In addition, the process did not capture critical information needed to
effectively measure progress on IT projects, such as program office and life cycle cost data.
In addition, information that compared the progress of implementing actual deliverables with what
was promised at the time that a project was approved was also not being captured or reported.
Without complete and accurate performance measurement information, DIRM managers did not
have the ability to effectively monitor the FDIC’s IT investments or identify potential problems
in a timely manner.

The centralized process that DIRM used to track critical IT project information, such as project
status, budget, expenditure, and schedule data, was maintained in a centralized Lotus Notes⁶
database. DIRM project managers periodically updated the Lotus Notes database to reflect the
current status and schedule of their projects. An interface with the DIRM Budget Support
System also allowed the database to track DIRM’s budget and expenditure information for each
IT project. Standard reports generated from the Lotus Notes database also reported the status of
projects and identified projects with significant deviations between planned and actual
expenditures and milestone dates.

Although the Lotus Notes database contained useful information about the FDIC’s IT projects, it
did not provide complete and comprehensive information regarding the progress of these
projects. DIRM project managers that we spoke with did not use the Lotus Notes database to
manage their IT projects because the data was not detailed enough, and expenditure information
was not current. In addition, the Lotus Notes database did not maintain a history of changes that
were made to IT project schedules and budgets or the reasons why these changes were made.

DIRM project managers stated that standard exception reports generated by the Lotus Notes
database relating to expenditures were sometimes misleading and were not a meaningful tool for
measuring progress on their IT projects.
One such report identified IT projects that were over
budget by comparing a project’s annual budget to its actual expenditures. Deviations of 50
percent or more between a project’s budget and actual expenditures were flagged as a potential
problem. However, budget figures were not adjusted in a timely manner when projects were
started earlier or later than originally planned. Accordingly, the comparison of original budgeted
amounts to actual expenditures that were experienced over a longer or shorter period of time
sometimes resulted in the incorrect reporting of significant over-budget or under-budget
situations. This caused some IT projects to be flagged for potential budget problems when, in
fact, they did not have any.

⁶ Lotus Notes is a registered trademark of Lotus Development Corporation.

The 50-percent budget deviation threshold established by DIRM was, in our opinion, too high.
Use of such a high threshold would detect problems after they occur rather than providing
advance information to allow for more immediate management action. In addition, the Lotus
Notes database did not generate standard exception reports for all IT project categories. For
example, maintenance projects, which represented approximately $35 million, or 17 percent, of
the FDIC’s $211 million IT budget for 1999, were not monitored by the Lotus Notes database for
schedule, budget, or expenditure variances. DIRM project managers informed us that they used
other tools to manage and track progress on their IT projects, including Microsoft Project and
detailed budget reports. Senior DIRM management agreed that the standard exception reports
generated by the Lotus Notes database were not an effective indicator of progress on the FDIC’s
IT investments.
Senior management indicated that the system incorrectly flagged many projects
as experiencing problems and, therefore, was not reliable or useful.

Program office costs incurred in connection with IT projects were also not being consistently
recorded, tracked, or reported. In many cases, the program offices’ involvement and costs were
significant. DIRM generated monthly reports from the Financial Information Management
System (FIMS) that identified program office hours charged to specific IT projects and provided
these reports to members of the Technical Committee. However, most members of the Technical
Committee informed us that they did not use these reports because they did not translate program
office hours into financial terms and the reports did not combine or associate the program
charges with the appropriate DIRM projects. Members of the Technical Committee also
informed us that program offices were not consistently charging hours to IT projects. As a
result, program office cost data generated by FIMS may be incomplete.

In addition, we noted that full life cycle (i.e., inception-to-date) cost data was not being tracked
or reported on IT projects. DIRM developed the capability to track its expenditures and
commitments against approved IT budgets in 1997 using a Lotus Notes database. The Lotus
Notes database reported on year-to-date DIRM expenditures. In 1998, DIRM enhanced the
Lotus Notes database to also report on year-end costs for the immediately preceding year. For
projects that were ongoing in more than 2 calendar years, only the most current year-to-date and
previous year’s DIRM costs were reported.
The database was used primarily to ensure that
DIRM's current annual budgets for IT projects were not exceeded.

In 1997 DIRM implemented a comprehensive process to ensure that all DIRM personnel and
contractor costs are charged to a valid IT project code, including new systems development,
maintenance, and other development. DIRM implemented the referenced process as a control
for ensuring that all costs are accurately charged to a valid project code. Each month, DIRM
generates detailed reports from FIMS that identify the personnel, contract, and other charges
made to all IT project numbers. DIRM’s Fiscal Management Section screens the FIMS reports
to ensure that valid project numbers are charged for all costs. Detailed reports of all charges to
project numbers are then sent to DIRM project managers to ensure that all charges are valid and
accurately recorded.

DIRM had implemented an effective process to ensure that all DIRM personnel and contractor
costs were charged to valid IT projects. However, similar controls are needed to ensure that
program office and non-DIRM contract costs are also tracked and reported against the IT project
numbers they relate to. Unless full life cycle cost data is tracked, analyzed, and reported, its
benefit to the FDIC's management decision-making process is limited. While the Lotus Notes
database provides useful DIRM cost information, it would be more beneficial if complete life
cycle costs, including program office costs, were tracked.

We reported on the need to track and report program office and full life cycle costs in an OIG
report entitled Audit of FDIC Resource and Cost Tracking Systems for Information Systems
Projects (Audit Report No. 98-019), dated February 27, 1998.
We recommended in this report
that DIRM and the Division of Finance (DOF) work with representatives of the FDIC's program
offices to develop a capability to track and report total costs associated with IT projects,
including program office costs. We also recommended that DIRM begin tracking and reporting
full life cycle costs on all IT projects.

In response to these recommendations, DIRM and DOF management agreed to implement a pilot
program to track total life cycle costs in one division, DOF. Based on the results of the pilot and
the FDIC’s adoption of new capital accounting procedures in 1999, DOF issued formal
procedures requiring all divisions and offices to begin recording and tracking full life cycle costs
on IT projects in 1999. However, the FDIC has not yet implemented effective controls to ensure
that program offices charged costs to the appropriate IT project code. Technical Committee
members and DIRM management officials that we interviewed indicated that program offices
were not consistently charging IT projects with program office personnel and other costs such as
travel and training. In addition, the FDIC was not yet tracking and reporting all life cycle costs
for IT projects.

In our opinion, the Chief Financial Officer should consider implementing corporate-wide
controls similar to those instituted by DIRM to ensure that all IT costs are charged to the
appropriate IT project code. In addition, DIRM needs to implement a tracking system that
captures all life cycle costs for IT projects and that regularly compares actual costs and progress
to date with approved budgets and timelines for implementation.

If life cycle program office costs are accumulated along with DIRM IT expenditures and
reported to senior management, the information can provide additional benefits to the FDIC’s IT
decision-making processes.
Full life cycle cost data is a necessary component of any successful
performance measurement and post-implementation review program. In addition, the
Clinger-Cohen Act requires agencies to establish processes that ensure IT projects are being implemented
at acceptable costs, within reasonable and expected time frames, and are contributing to tangible,
observable improvements in mission performance. Moreover, these agency processes should be
institutionalized throughout the organization and should be used for all IT-related decisions. The
FDIC IT Strategic Plan also cites expanding IT cost accounting to include total corporate costs as
a good management practice. Accordingly, we are reiterating our recommendation to track and
report full life cycle costs on IT projects, including program office costs.

Recommendations

We recommend that the Director, Division of Information Resources Management and CIO:

(6)    Work with the Technical Committee to establish a centralized process for measuring
       performance on individual IT investments and report this information on a routine basis
       to senior DIRM management and the Technical Committee.

We recommend that the Chief Financial Officer:

(7)    Work with the FDIC’s divisions and program offices to ensure that full life cycle costs
       associated with the FDIC’s IT investments, including program office costs, are tracked,
       reported, and compared to initial estimates.

Opportunities for Improvements in the Post Implementation Review Process

DIRM implemented a Post Implementation Review (PIR) program with the objective of
assessing the quality of its system development projects and improving overall IT investment
management.
The PIR program was designed to provide a wide range of information on product
quality, customer satisfaction, and project management capability to develop a corporate-wide
perspective for process improvement.

We performed a limited evaluation of the PIR methodology and have several observations and
recommendations where we believe there are opportunities for improvement. We were unable to
complete a more comprehensive evaluation of the PIR program because of its relatively recent
implementation and the fact that few reviews have been completed. We plan to schedule a more
comprehensive evaluation of the PIR process after the FDIC has had an opportunity to complete
more reviews.

The improvements that we believe can be made relate to better ensuring the independence and
objectivity of the PIR teams, limiting the PIR process to one level or type of review, and
ensuring that all life cycle costs are tracked. In addition, improvements can be made by
developing PIR procedures that require a more detailed analysis and presentation of cost,
schedule, and requirements projections.

DIRM planned to complete 10 PIRs during 1999. Eight of the reviews planned for 1999 were
incomplete at the time of our review. One additional review was completed that was not
included on the list of planned 1999 PIR reviews. While 6 PIRs had been completed since the
inception of the program in 1998, 3 were pilots completed by DIRM and its clients, with
oversight provided by DIRM’s IT Evaluation Section. Of the 3 other reviews that were
completed, one deviated from normal PIR evaluation procedures by excluding input from a
statistically valid sampling of users. DIRM officials stated that the review related to a DOS
application that was scheduled for a second PIR by year-end 1999.
DOS and DCA clients
expressed concern about the potential examiner response burden associated with two surveys of
the same system in the same year, especially in light of Y2K considerations.

We interviewed DIRM management officials that were involved with the PIR program and
DIRM project managers. Based on the interviews, we determined that PIR teams sometimes
included individuals that were also involved in the development project. In addition, in at least
four instances, PIR team members, although not directly associated with the project that was
reviewed, worked for the DIRM project manager responsible for the project being reviewed.
This team composition is not in accordance with basic internal controls dealing with separation
of responsibility and could impact the reliability of the results because of questions that could be
raised about the objectivity and independence of the team members.

Paragraph 1.4.5 of the PIR Methodology Manual states that DIRM and Program Office team
members should not be selected from the same sections that were responsible for the project. In
our opinion, this language should be strengthened to require that PIR team members not be
selected from sections involved in the project.

DIRM’s PIR Methodology Manual provided for three different types of PIR reviews. A Level I
PIR evaluated projects while they were in process and involved a review of requirements through
design. A Level II review evaluated projects shortly after implementation while a Level III
review designated an evaluation 9 – 12 months after implementation. DIRM management
officials stated that the Level I PIR review was eliminated during the period of March through
June 1999.
We believe that DIRM could make more efficient use of limited resources if they
limited the PIR process to one type of review rather than the multiple levels of review that are
now included in the PIR Methodology Manual. Also, while PIR procedures required a
comparison of original cost and schedule projections with actual figures, it was not possible to
accurately make such comparisons, because the FDIC did not track total life cycle costs
(including program office costs). Although program office and other non-DIRM cost projections
were included in original budget estimates, these cost elements were not tracked. Accordingly,
this analysis provided limited benefits. The PIR process could also be enhanced if information
was included in the PIR report that illustrated when cost and schedule overruns occurred, if and
when they were approved, and the reason for the change.

Based on our review of the 6 PIR reports that DIRM completed at the time of our review, we
believe there is a need for a more comprehensive analysis and presentation of cost, schedule, and
deliverables. The PIR reports we reviewed did contain some summary information that
compared final DIRM cost and schedule information with original projections. However, we
believe the PIR reports could be more useful if a more detailed presentation was provided that
compared functional requirements with what was actually delivered. User questionnaires and
interviews with program office staff can be useful in determining whether users are satisfied and
whether they believe their needs were satisfied. However, an independent evaluation is needed
that compares what was originally required/promised to what was ultimately delivered to
determine if all requirements were satisfied.
Users asked about their satisfaction with the system
delivered may not know what the original requirements were at the time of project approval.

Accordingly, we believe the PIR procedures manual and handbooks need to be expanded to
provide for a more comprehensive analysis and presentation of life cycle costs, schedule, and
requirements that were projected at the time a project was originally approved by senior
management. In addition, the PIR report should identify approved changes to the cost, schedule,
and requirements that occurred throughout development. The Technical Committee and DIRM
need this information to identify problem projects and ultimately the cause so that similar
problems can be avoided or addressed in the future.

The PIR final report should provide a comprehensive comparison of final actual cost, delivery
date, and functionality delivered to what was originally projected. In our view, absent this type
of analysis and information, it is not possible to make a reliable determination of whether the
system that was delivered is what was promised and whether it was delivered for the cost and
within the timeframe originally promised.

Recommendations

We recommend that the Director, Division of Information Resources Management and CIO:

(8)    Work with the Technical Committee to implement procedures that ensure individuals
       performing PIR reviews are not involved with the development of the project and are
       not supervised by anyone that was involved with the project that is being reviewed.

(9)    Consult with the Technical Committee and consider changing PIR procedures so that
       there is only one type of PIR review conducted after a system has been fully implemented
       and has been operational for a period of time.

(10)   Work with the Technical Committee to implement procedures that require the PIR
       process to include more
       comprehensive information in the final PIR report regarding a
       comparison of original and final cost and schedule information. The PIR report should
       also provide explanations for changes that occurred and for differences between actual
       and approved budgets, schedules, and deliverables.


CONCLUSION

The FDIC has made significant progress towards improving the investment analysis and
post-implementation review process for IT investments. The improvements suggested in this report
are designed to further enhance many of the improvements that the FDIC has already initiated.
Our recommendations should enable the Corporation to better ensure that scarce IT resources are
invested in the projects that help the Corporation achieve its most critical strategic business
objectives. In addition, improvements suggested in the performance measurement and
post-implementation review process will ensure that critical information is available to measure
performance and establish accountability for the effective and efficient consumption of IT
resources.


CORPORATION COMMENTS AND OIG EVALUATION

On March 23, 2000 the Director, DIRM provided a written response to the draft report. The DIRM
Director responded to recommendations 1-6 and 8-10. Recommendation 7 in the draft report was
addressed to the Chief Financial Officer (CFO). The Director, Division of Finance (DOF), provided
a written response through the CFO to recommendation 7, on March 30, 2000. The DIRM
Director’s response is presented in Appendix I of this report and the DOF/CFO response is presented
in Appendix II. The Director, DIRM and the DOF/CFO agreed with the recommendations
addressed to each of their respective organizations.
A summary of DIRM’s and the CFO’s responses
to the recommendations contained in this report follows.

Regarding recommendation 1, the Director, DIRM stated that the IT Technical Committee and
various subcommittees are pursuing improvement of the investment analysis process. These
improvements include better integration of IT planning and corporate business planning, better
timing of IT planning activities, and enhanced project type definitions.

The DIRM Director also agreed with recommendation 2 and indicated that DIRM had
undertaken steps to implement IT budget reallocations in a standardized, business-focused
manner. The IT Technical Committee will review requests for funding, along with opportunities
to reallocate funds, during April and July each year. The reallocation decisions will focus on
items on the ranked list developed as part of the prior year’s planning effort, along with special
requests for new or increased funding.

Concerning recommendation 3, DIRM stated that it has undertaken work through the IT
Technical Committee to implement the recommendation. An IT Technical Committee
subcommittee has reviewed both the definitions and handling of the various project types. The
Committee’s preliminary recommendations were presented on March 2, 2000 to the IT Technical
Committee.
Committee input is being solicited and final procedures for categorizing IT
investments will be developed later in 2000, in time to support IT planning for 2001.

Regarding recommendation 4, DIRM responded that the IT Technical Committee has formed a
subcommittee that will formulate recommendations for improved evaluation of “Other
Development” to ensure that this category of projects is dealt with appropriately.

Pertaining to recommendation 5, DIRM stated it was identifying performance indicators that
provide information on DIRM’s progress in achieving IT strategic goals and objectives.
Information from these indicators will serve as the basis to develop a performance measurement
program to improve IT practices, environments, and services; to identify risk areas; and to
identify future measurable goals and objectives.

In its response to recommendation 6, DIRM stated it began providing the IT Technical
Committee monthly financial status reports for IT projects in March 2000 to provide the
information needed to support its ongoing monitoring of IT projects.

Regarding recommendation 7, DOF and the CFO proposed an interim solution to address the
recommendation until a long-term solution could be implemented through a financial
modernization project that is currently underway. As an interim measure, DOF will initiate a
program in conjunction with DIRM to collect budgets and expenses for development projects,
using DIRM’s project based version of Pillar for the 2001 budget formulation.

Recommendations 8 through 10 relate to opportunities for streamlining and improving the PIR
process. DIRM responded that it agreed with each recommendation. DIRM stated it would
recommend the suggested changes in the methodology to the IT Technical Committee.
If approved, DIRM said it would make the necessary documentation changes.

The Corporation’s response to the draft report provides the elements necessary for management
decisions on each of the report’s recommendations. Accordingly, no further response to this
report is required.


APPENDIX I

Federal Deposit Insurance Corporation
3501 North Fairfax Dr., Arlington, VA 22226
Division of Information Resources Management

March 23, 2000

TO:         David H. Loewenstein
            Assistant Inspector General

FROM:       Donald C. Demitros, Director and Chief Information Officer

SUBJECT:    DIRM Management Response to the Draft OIG Report Entitled, "Audit of the
            FDIC's Strategic Planning for Information Technology Resources"
            (Audit No. 99-902)

The Division of Information Resources Management (DIRM) has reviewed the draft audit report
and, in general, agrees with the findings and recommendations. Responses to each of the OIG's
specific recommendations are provided as Attachment 1.
The recommendation pertaining to the
Chief Financial Officer (CFO) is being addressed under separate cover by the CFO.

Please address any questions to DIRM's Audit Liaison, Rack Campbell, on (703) 516-1422.

Attachment


SIGNIFICANT PROGRESS MADE ON FDIC'S IT INVESTMENT ANALYSIS
PROCESS, ADDITIONAL OPPORTUNITIES FOR IMPROVEMENTS EXIST


Recommendations

Long-Range Strategic Planning Can Enhance FDIC's IT Decision-making

We recommend that the Director, Division of Information Resources Management and
CIO:

(1)   Work with the Technical Committee to implement a long-range strategic IT
      planning process that would provide the Committee the opportunity to become
      more involved in evaluating major components of the FDIC's annual IT budget at
      an earlier point in time.

      Corrective Action: In 1999 DIRM implemented a successful investment
      analysis process. This process is based on client-developed IT strategies related
      to business activities, goals, and priorities. During the investment analysis
      process, FDIC divisions developed their respective IT strategies and briefed both
      the IT Technical Committee and key DIRM staff about their strategies. This
      activity provided the foundation for development of data, application and
      technical strategies, as well as for analysis of specific investments. The timing of
      this important foundation work was delayed in 1999 by the time required to
      define and gain senior FDIC management approval of the process. The need to
      begin the process earlier in future years was generally recognized at that time.

      During June and July 1999, the client IT strategies and the DIRM-developed data,
      application, and technical strategies were used as the basis for defining a variety of
      application and technical initiatives to be proposed for the 2000 IT budget.
      During the project evaluation process, it became apparent that more time was needed for IT
      Technical Committee members to assimilate and understand all the IT budget
      information.

      In order to allow the IT Technical Committee more time to understand all elements
      of the IT budget, DIRM is pursuing two types of improvements during 2000. To
      improve the IT Technical Committee’s understanding of the IT operating budget,
      DIRM has initiated briefings on technical operations. These briefings, which began
      in February and will continue as needed through the Spring, are focused on ensuring
      that the IT Technical Committee members understand what constitutes the various
      types of operations. These briefings also will provide the foundation for
      development, in 2000 and later years, of appropriate service level agreements that will
      ensure that operational activities and their attendant costs are properly focused.

      The IT Technical Committee is taking positive steps to improve the investment
      analysis and allow for more review by members. Ongoing discussions within the
      Committee and in various subcommittees are pursuing improvement of the
      investment analysis process. These steps include better integration of IT planning
      and corporate business planning, better timing of IT planning activities, and
      enhanced project type definitions (along with improvements in how projects are
      determined to be discretionary and non-discretionary). The revised processes will be
      described in the instructions provided to DIRM staff at the start of the 2001 budget
      formulation cycle.
      Taken together these improvements should result in
      improvements in both the IT Technical Committee’s ability and time to evaluate
      investments and the quality of that evaluation.

      Planned Corrective Action: June 30, 2000

Better Controls Needed Regarding Reallocation of Funds for Approved IT Projects

We recommend that the Director, Division of Information Resources Management and
CIO:

(2)   Develop policies and procedures that prescribe the parameters for when
      reallocation of IT resources require the Technical Committee's prior approval, to
      ensure that IT requirements continue to be addressed from a corporate strategic
      perspective.

      Corrective Action: DIRM agrees with the recommendation and had previously
      undertaken steps to implement budget reallocation in a standardized,
      business-focused manner. Essentially, the IT Technical Committee will review requests for
      funding, along with opportunities to reallocate funds, during April and July each
      year. The reallocation decisions will focus on items on the ranked list developed
      as part of the prior year’s planning effort, along with special requests for new or
      increased funding. The procedures for this effort will be complete and tested
      during the reallocation in April 2000.
      They will then be refined, if necessary, for
      use in subsequent reallocations.

      Planned Corrective Action: July 15, 2000

Procedures for Categorizing IT Investments Need Improvement

We recommend that the Director, Division of Information Resources Management and
CIO:

(3)   Work with members of the Technical Committee to improve existing procedures
      for categorizing IT investments as either discretionary or non-discretionary before
      the IT investment analysis process begins.

      Corrective Action: DIRM agrees with the recommendation and has undertaken
      work through the IT Technical Committee to achieve this goal. An IT Technical
      Committee subcommittee has reviewed both the definitions and handling of the
      various project types. Their preliminary recommendations were presented on
      March 2 to the IT Technical Committee. Committee input is being solicited and
      final procedures for categorizing IT investments will be developed later this year,
      in time to support IT planning for 2001.

      Planned Corrective Action: June 30, 2000


Procedures Needed to Prioritize Other Development Spending

We recommend that the Director, Division of Information Resources Management and
CIO:

(4)   Develop plans to formally evaluate and prioritize IT investments categorized as
      Other Development.

      Corrective Action: DIRM agrees with the OIG’s concern about the amount of
      funding devoted to “Other Development” projects in 2000 without benefit of
      ranking or other meaningful IT Technical Committee evaluation.
      The subcommittee activity noted above includes recommendations for improved
      evaluation of "Other Development" to ensure that this category of projects is dealt
      with appropriately.

      Planned Corrective Action: June 30, 2000


IMPROVEMENTS NEEDED IN IT PERFORMANCE MEASUREMENT AND
REPORTING


Recommendations

Need for Overall IT Performance Measurement and Reporting

We recommend that the Director, Division of Information Resources Management and
CIO:

(5)   Validate the goals and objectives contained in the FDIC's IT Strategic Plan and
      begin measuring performance against these goals and objectives. DIRM should
      report this performance measurement information to the Technical Committee, IT
      Council, and senior FDIC management.

      Corrective Action: DIRM agrees with the recommendation. DIRM currently
      publishes a long range (five-year) IT Strategic Plan. In February, the DIRM
      Principal Staff met to draft updates to the IT goals and objectives that are key to the
      Plan. These will be completed in late March.

      DIRM also is identifying performance indicators that provide information on
      DIRM's progress in achieving IT Strategic Goals and Objectives. Information
      about these indicators will serve as the basis to develop a performance
      measurement program to improve IT practices, environments and services; to
      identify risk areas; and to identify future measurable goals and objectives.
      Once developed, the performance measurement information will be provided to the IT
      Technical Committee on a regular basis.

      DIRM Principal Staff will meet in May 2000 to establish a plan to improve
      performance indicators for the 2000 IT Strategic Goals and to provide direction for
      establishing a long term plan for an effective performance measurement program.

      Planned Corrective Action: January 31, 2001

Improvements Needed in Measuring Performance on Individual IT Projects

We recommend that the Director, Division of Information Resources Management and
CIO:

(6)   Work with the Technical Committee to establish a centralized process for
      measuring performance on individual IT investment and report this information
      on a routine basis to senior DIRM management and the Technical Committee.

      Corrective Action Completed: DIRM agrees with the recommendation. DIRM
      continues to work with the IT Technical Committee to provide the information
      that they need to support their ongoing monitoring of IT projects. Improvements
      already in place include the provision of monthly financial status reports
      (available as of March 2000) for IT projects. The IT Technical Committee also
      has access to status reports on each of the ongoing initiatives and can review these
      at any time using the Client IT Plan Lotus Notes application.
      Both the financial
      and initiatives status reports will provide essential information for addressing the
      reallocation of funds in April and July each year.

We recommend that the Chief Financial Officer:

(7)    Work with the FDIC’s divisions and program offices to ensure that full life cycle
       costs associated with the FDIC’s IT investments, including program office costs, are
       tracked, reported, and compared to initial estimates.

       Planned Corrective Action: CFO will respond to this recommendation under
       separate cover.

Opportunities for Improvements in the Post Implementation Review Process

We recommend that the Director, Division of Information Resources Management and
CIO:

(8)    Work with the Technical Committee to implement procedures that ensure
       individuals performing PIR reviews are not involved in the development of the
       project and are not supervised by anyone that was involved with the project that is
       being reviewed.

       Corrective Action: DIRM agrees with the recommendation. DIRM will
       recommend this change in the methodology to the Technical Committee. If
       approved, DIRM will make the necessary documentation changes and issue a
       memorandum to DIRM Application Systems Management and all Program
       Managers reinforcing this revision by June 30, 2000.

       Planned Corrective Action: June 30, 2000


(9)    Consult with the Technical Committee and consider changing PIR procedures so
       that there is only one type of PIR review conducted after a system has been fully
       implemented and has been operational for a period of time.

       Corrective Action: DIRM agrees with the recommendation. DIRM will
       recommend this change to the Technical Committee.
       If approved, DIRM will
       make the necessary documentation and program changes by March 31, 2001 for
       the 2001 cycle of PIRs.

       Planned Corrective Action: March 31, 2001


(10)   Work with the Technical Committee to implement procedures that require the PIR
       process to include more comprehensive information in the final PIR report
       regarding a comparison of original and final cost and schedule information. The
       PIR report should also provide explanations for changes that occurred and for the
       differences between actual and approved budgets, schedules and deliverables.

       Corrective Action: DIRM agrees with the recommendation. DIRM will add
       more comprehensive information in the final PIR reports with regard to original
       and final cost and scheduled information as that information becomes available.
       DIRM’s ability to include total life cycle cost data is solely dependent upon the
       availability of that data, particularly client costs. The results of actions taken to
       address recommendation #7 will determine the extent to which DIRM can
       incorporate this information into the PIR analysis and reporting. As direction is
       established by the CFO to address the availability of total life cycle cost data,
       DIRM will work with its clients to ensure the inclusion of this data into the PIR
       program.


APPENDIX II

Federal Deposit Insurance Corporation
550 17th Street, NW, Washington, DC 20429
Division of Finance

March 30, 2000

MEMORANDUM TO:    David H. Loewenstein
                  Assistant Inspector General

THROUGH:          Chris Sale
                  Deputy to the Chairman and Chief Financial Officer

FROM:             Fred Selby
                  Director, Division of Finance

SUBJECT:          Draft Report Entitled Audit of the FDIC’s Strategic Planning for
                  Information Technology Resources (Audit No. 99-902)

The Chief Financial Officer agrees with recommendation number 7 that we work with the
FDIC’s business units to ensure that full life cycle costs associated with FDIC’s IT investments,
including program office costs, are tracked, reported, and compared to initial estimates. The
Division of Finance (DOF) is currently working on a long-term financial modernization project.
The results of that project will address a permanent solution to this audit finding.

In the interim, DOF has facilitated, through project number guidance, the recording of lifecycle
expenditures. This currently provides a means to capture the costs when they are recorded
throughout the FDIC. For Budget Year 2001, as a further interim step, DOF will initiate a
program in conjunction with the Division of Information and Resource Management (DIRM) to
collect budgets and expenses for development projects. It is anticipated that DIRM’s project
based version of Pillar will be utilized for 2001 budget formulation and reporting for
development projects for the entire Corporation.

We thank you for the opportunity to respond and we appreciate the interest and work of the OIG
in this area.

Concur:


Donald C. Demitros                                Date
Director, Division of Information Resources Management and
Chief Information Officer


APPENDIX III

MANAGEMENT RESPONSES TO RECOMMENDATIONS

The Inspector General Act of 1978, as amended, requires the OIG to report on the status of
management decisions on its recommendations in its semiannual reports to the Congress. To
consider FDIC’s responses as management decisions in accordance with the act and related
guidance, several conditions are necessary. First, the response must describe for each
recommendation

     • the specific corrective actions already taken, if applicable;

     • corrective actions to be taken together with the expected completion dates for their implementation; and

     • documentation that will confirm completion of corrective actions.

If any recommendation identifies specific monetary benefits, FDIC management must state the
amount agreed or disagreed with and the reasons for any disagreement. In the case of questioned
costs, the amount FDIC plans to disallow must be included in management’s response.

If management does not agree that a recommendation should be implemented, it must describe
why the recommendation is not considered valid.

Second, the OIG must determine that management’s descriptions of (1) the course of action
already taken or proposed and (2) the documentation confirming completion of corrective actions
are responsive to its recommendations.

This table presents the management responses that have been made on recommendations in our
report and the status of management decisions.
The information for management decisions is based on management's written response to our
report and subsequent discussions with management representatives.

Rec. Number: 1
   Corrective Action (Taken or Planned / Status): Management stated that the IT Technical
      Committee is taking positive steps to improve the investment analysis and allow for more
      review by members. Ongoing discussions within the Committee and in various
      subcommittees are pursuing improvement of the investment analysis process. These steps
      include better integration of IT planning and corporate business planning, better timing of
      IT planning activities, and enhanced project type definitions. The revised process will be
      described in the instructions provided to DIRM staff at the start of the 2001 budget
      formulation cycle.
   Expected Completion Date: 6/30/00
   Documentation That Will Confirm Final Action: Instructions provided to DIRM staff
      describing revisions to the 2001 budget formulation process.
   Monetary Benefits: N/A
   Management Decision (Yes or No): Yes

Rec. Number: 2
   Corrective Action (Taken or Planned / Status): Management agreed with the recommendation.
      DIRM indicated that it had undertaken steps to implement budget reallocation in a
      standardized, business-focused manner. The IT Technical Committee will review requests
      for funding, along with opportunities to reallocate funds, during April and July each year.
      The reallocation decisions will focus on items on the ranked list developed as part of the
      prior year’s planning effort, along with special requests for new or increased funding.
   Expected Completion Date: 7/15/00
   Documentation That Will Confirm Final Action: Issuance of new procedures that describe and
      document how the referenced process will take place.
   Monetary Benefits: N/A
   Management Decision (Yes or No): Yes

Rec. Number: 3
   Corrective Action (Taken or Planned / Status): Management agreed with the recommendation.
      DIRM indicated it had undertaken work through the IT Technical Committee to implement
      the recommendation. An IT Technical Committee subcommittee has reviewed both the
      definitions and handling of the various project types. Their preliminary recommendations
      were presented on March 2, 2000 to the IT Technical Committee. Committee input is being
      solicited and final procedures for categorizing IT investments will be developed later in
      2000, in time to support IT planning for 2001.
   Expected Completion Date: 6/30/00
   Documentation That Will Confirm Final Action: Procedures for categorizing IT investments.
   Monetary Benefits: N/A
   Management Decision (Yes or No): Yes

Rec. Number: 4
   Corrective Action (Taken or Planned / Status): Management agreed with the recommendation.
      DIRM stated it agreed with the OIG’s concern about the amount of funding devoted to
      “Other Development” projects in 2000 without the benefit of ranking or other meaningful
      IT Technical Committee evaluation. The IT Technical Committee has formed a
      subcommittee that will formulate recommendations for improved evaluation of “Other
      Development” to ensure that this category of projects is dealt with appropriately.
   Expected Completion Date: 6/30/00
   Documentation That Will Confirm Final Action: IT subcommittee recommendations for
      improved evaluation of “Other Development”.
   Monetary Benefits: N/A
   Management Decision (Yes or No): Yes

Rec. Number: 5
   Corrective Action (Taken or Planned / Status): Management agreed with the recommendation.
      DIRM stated that the DIRM Principal Staff met in February 2000 to draft updates to the IT
      goals and objectives that are key to the Plan. DIRM expected to complete the updates by
      March 31, 2000.
      DIRM also is identifying performance indicators that provide information on DIRM’s
      progress in achieving IT Strategic Goals and Objectives. Information about these indicators
      will serve as the basis to develop a performance measurement program to improve IT
      practices, environments and services; to identify risk areas; and to identify future
      measurable goals and objectives.
   Expected Completion Date: 3/31/2000; 1/31/2001
   Documentation That Will Confirm Final Action: Completion of updates to the FDIC’s
      Strategic Plan’s goals and objectives. In addition, implementation of a long term plan for
      an effective performance measurement program.
   Monetary Benefits: N/A
   Management Decision (Yes or No): Yes

Rec. Number: 6
   Corrective Action (Taken or Planned / Status): Management agreed with the recommendation.
      As of March 2000, DIRM began providing the IT Technical Committee monthly financial
      status reports for IT projects, to provide the information that the Committee needs to
      support the ongoing monitoring of IT projects.
   Expected Completion Date: 3/31/2000
   Documentation That Will Confirm Final Action: Copies of new financial status reports on IT
      projects.
   Monetary Benefits: N/A
   Management Decision (Yes or No): Yes

Rec. Number: 7
   Corrective Action (Taken or Planned / Status): Management agreed with the recommendation.
      As an interim measure, DOF stated it would initiate a program in conjunction with DIRM
      to collect budgets and expenses for development projects, using DIRM’s project based
      version of Pillar for the 2001 budget formulation. In addition, DOF and the CFO proposed
      a plan to develop a long-term solution to address the recommendation, through a financial
      modernization project that is currently underway.
   Expected Completion Date: 12/31/2000
   Documentation That Will Confirm Final Action: Written procedures implementing the project
      based version of Pillar for the 2001 budget formulation.
   Monetary Benefits: N/A
   Management Decision (Yes or No): Yes

Rec. Number: 8
   Corrective Action (Taken or Planned / Status): Management agreed with the recommendation.
      DIRM stated it would recommend a change in the methodology to the IT Technical
      Committee. If approved, DIRM said it would make the necessary documentation changes
      and issue a memorandum to DIRM Application Systems Management and all Program
      Managers reinforcing this revision by June 30, 2000.
   Expected Completion Date: 6/30/00
   Documentation That Will Confirm Final Action: Recommendation to the IT Technical
      Committee to change PIR procedures, and issuance of memo to DIRM Application Systems
      Management and all Program Managers reinforcing the revision.
   Monetary Benefits: N/A
   Management Decision (Yes or No): Yes

Rec. Number: 9
   Corrective Action (Taken or Planned / Status): Management agreed with the recommendation.
      DIRM stated it would recommend this change to the Technical Committee. If approved,
      DIRM said it would make the necessary documentation and program changes by March 31,
      2001 for the 2001 cycle of PIRs.
   Expected Completion Date: 3/31/00
   Documentation That Will Confirm Final Action: Evidence of recommendation to the
      Technical Committee, and documentation supporting program changes, when approved.
   Monetary Benefits: N/A
   Management Decision (Yes or No): Yes

         Management agreed with the recommendation.                                             See rec.
7   PIR reports with more       N/A         Yes\n                                                                                                                  comprehensive\n 10      DIRM said it would add more comprehensive information in the final PIR                                analysis of cost and\n         reports with regard to original and final cost and schedule information as that                     schedule information.\n         information becomes available.\n\n\n\n\n                                                                                           33\n\x0c'